ABSTRACT

A potential bias in the generation of a private key is avoided by selecting the key and comparing
it against the system parameters. If a predetermined condition is attained, it is accepted. If not, it is
rejected and a new key is generated.

METHOD OF PUBLIC KEY GENERATION

FIELD OF THE INVENTION

The present invention relates to public key cryptosystems and more particularly to key 
generation within such systems. 

BACKGROUND OF THE INVENTION 

The basic structure of a public key cryptosystem is well known and has become ubiquitous with
security in data communication systems. Such systems use a private key k and a corresponding
public key α^k where α is a generator of the group. Thus one party may encrypt a message m
with the intended recipient's public key and the recipient may apply his private key to decrypt it.

Similarly, the cryptosystems may be used for key agreement protocols where each party
exponentiates the other party's public key with their own private key. Thus party A will take B's
public key α^b and exponentiate it with A's private key a to obtain a session key α^ab. Similarly, B
will take A's public key and exponentiate it with B's private key b to obtain the same session
key α^ab. Thereafter data may be transferred using a symmetric key protocol utilizing the common
session key.

Public key cryptosystems may also be used to sign messages to authenticate the author 
and/or the contents. In this case the sender will sign a message using his private key and a 
recipient can verify the message by applying the public key of the sender. If the received 
message and the recovered message correspond then the authenticity is verified. 

The public key cryptosystems rely on the intractability of the discrete log problem in
finite field arithmetic, that is, even when the generator α and public key are known, it is
computationally infeasible to obtain the corresponding private key. The security of such systems
does therefore depend on the private key remaining secret. To mitigate the opportunity of
disclosing the private key, protocols have been developed that use a pair of private keys and
corresponding public keys, referred to as long term and short term or ephemeral key pairs
respectively. The ephemeral private key is generated at the start of each session between a pair of
correspondents, usually by a random number generator. The corresponding ephemeral public key
is generated and the resultant key pair used in one of the possible operations described above.
The long-term public key is utilized to authenticate the correspondent through an appropriate
protocol. Once the session is terminated, the ephemeral key is securely discarded and a new
ephemeral key generated for a new session.

Some of the more popular protocols for signature are the ElGamal family of signature
schemes such as the Digital Signature Algorithm or DSA. The DSA algorithm utilizes both long
term and ephemeral keys to generate a signature of the message. The DSA domain parameters
are preselected. They consist of a prime number p of a predetermined length, by way of example
1024 bits; a prime number q of a predetermined bit length, by way of example 160 bits, where q
divides p-1; a generator α lying between 2 and p-1 and which satisfies the condition
(α^q mod p) = 1; and a cryptographic hash function H, such as SHA-1.

The DSA requires the signatory to select an ephemeral key k lying between 1 and q-1. A
first signature component r is generated from the generator α such that r = (α^k mod p) mod q. A
second signature component s is generated such that s = k^-1 (H(m) + dr) mod q, where d is the long
term private key of the signatory. The signature on the message m is (r,s). The signature may be
verified by computing

H(m),

u1 = s^-1 H(m) mod q
u2 = s^-1 r mod q

v = α^u1 β^u2 mod p, where β = α^d mod p is the long term public key of the signatory, and
finally verifying that r = v mod q. The use of both the ephemeral and long-term keys in the
signature binds the identity of the signatory to the ephemeral key but does not render the long-
term key vulnerable.

A similar signature protocol known as ECDSA may be used for elliptic curve
cryptosystems. In this protocol k is selected in the interval 1 to n-1 where n is an l bit prime. The
signature component r is generated by converting the x coordinate of the public key kP, where P
is the seed point on the curve, to an integer mod n, i.e. r = x_kP mod n. The component s = k^-1 (H(m) + dr) mod n
and the signature on the message m is (r,s).

It will be apparent in ElGamal signature schemes such as the DSA and ECDSA, that if an
ephemeral key k and the associated message m and signature (r,s) are obtained, they may be used to
yield the long term private key d and thereafter each of the ephemeral keys k can be obtained.
Neither the DSA nor the ECDSA inherently disclose any information about the public key k.
They both require the selection of k to be performed by a random number generator and it will
therefore have a uniform distribution throughout the defined interval. However the
implementation of the DSA may be done in such a way as to inadvertently introduce a bias into
the selection of k. This small bias may be exploited to extract a value of the private key d and
thereafter render the security of the system vulnerable. One such implementation is the DSS
mandated by the National Institute of Standards and Technology (NIST) FIPS 186-2 Standard.
The DSS stipulates the manner in which an integer is to be selected for use as a private key. A
seed value, SV, is generated from a random number generator which is then hashed by a SHA-1
hash function to yield a bit string of predetermined length, typically 160 bits. The bit string
represents an integer between 0 and 2^160-1. However this integer could be greater than the prime
q and so the DSS requires the reduction of the integer mod q, i.e. k = SHA-1(seed) mod q.

Accordingly the algorithm for selecting k may be expressed as:-
if SHA-1(seed) > q then k ← SHA-1(seed) − q
else k ← SHA-1(seed).

With this algorithm it is to be expected that more values will lie in the first interval than the 
second and therefore there is a potential bias in the selection of k. 

Recent work by Daniel Bleichenbacher suggests that the modular reduction to obtain k
introduces sufficient bias into the selection of k that an examination of 2^^ signatures could yield
the private key d in 2^ steps using 2^ memory units. This suggests that there is a need for the
careful selection of the ephemeral key k.

CA. 02329590 2000-12-27

SUMMARY OF THE INVENTION 

It is therefore an object of the present invention to obviate or mitigate the above 
disadvantages in the generation of a private key. 

In general terms the present invention provides a key generation technique in which any 
bias is eliminated during the selection of the key. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Embodiments of the invention will now be described by way of example only with reference to
the accompanying drawings in which:-

Figure 1 is a schematic representation of a data communication system;
Figure 2 is a flow chart showing a first embodiment of key generation;
Figure 3 is a flow chart showing a second embodiment;
Figure 4 is a flow chart showing a third embodiment;
Figure 5 is a flow chart showing a fourth embodiment;
Figure 6 is a flow chart showing a fifth embodiment; and
Figure 7 is a flow chart showing a sixth embodiment.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring, therefore, to figure 1, a data communication system 10 includes a pair of
correspondents 12, 14 connected by a communication link 16. The link 16 may be a dedicated
link, a multipurpose link such as a telephone connection or a wireless link depending on the
particular applications. Similarly, the correspondents 12, 14 may be computer terminals, point-of-sale
devices, automated teller machines, constrained devices such as PDA's, cellphones,
pagers or any other device enabled for communication over a link 16.

Each of the correspondents 12, 14 includes a secure cryptographic function 20 including
a secure memory 22, an arithmetic processor 24 for performing finite field operations, a random
number generator 26 and a cryptographic hash function 28 for performing a secure cryptographic
hash such as SHA-1. The output of the function 28 will be a bit string of predetermined length,
typically 160 bits although other lengths such as 256, 384 or 512 are being used more frequently.
It will be appreciated that each of these functions is controlled by a processor executing
instructions to provide functionality and inter-operability as is well known in the art.

The secure memory 22 includes a register 30 for storing a long-term private key, d, and a 
register 32 for storing an ephemeral private key k. The contents of the registers 30, 32 may be 
retrieved for use by the processor 24 for performing signatures, key exchange and key transport 
functions in accordance with the particular protocols to be executed under control of the 
processor. 

The long term private key, d, is generated and embedded at the time of manufacture or
initialization of the cryptographic function and has a corresponding long-term public key α^d.
The long-term public key α^d is stored in the memory 22 and is generally made available to other
correspondents of the system 10.

The ephemeral key, k, is generated at each signature or other cryptographic exchange by
one of the routines disclosed below with reference to figures 2 to 9. Once the key, k, and
corresponding public key α^k are generated, they are stored in the register 32 for use in the
cryptographic protocol, such as the DSA or ECDSA described above.

Referring, therefore, to figure 2, a first method of generating a key, k, originates by
obtaining a seed value (SV) from the random number generator 26. For the purposes of an
example, it will be assumed that the cryptographic function is performed over a group of order q,
where q is a prime represented as a bit string of predetermined length l. By way of example only
it will be assumed that the length l is 160 bits, although, of course, other orders of the field may
be used.

To provide a value of k of the appropriate order, the hash function 28 has an l bit output,
e.g. a 160 bit output. The bit string generated by the random number generator 26 is greater than
l bits and is therefore hashed by the function 28 to produce an output H(seed) of l bits.

The resultant output H(seed) is tested against the value of q and a decision made based on 
the relative values. If H(seed) < q then it is accepted for use as k. If not, the value is rejected 
and the random number generator is conditioned to generate a new value which is again hashed 
by the function 28 and tested. This loop continues until a satisfactory value is obtained. 

A further embodiment is shown in figure 3. In this embodiment, the output of the
random number generator 26 is hashed by hash function 28 as before and tested against the value
of q. If the H(seed) value is not accepted, the output of the random number generator 26 is
incremented by a deterministic function and rehashed by function 28.

The resultant value H(seed) is again tested and the procedure repeated until a satisfactory 
value of k is obtained. 

The output may be incremented by adding a particular value to the seed value at each
iteration, or may be incremented by applying a non-linear deterministic function to the seed
value. For example, the output may be incremented by applying the function f(seed) = a.seed^ + b
mod 2^^^, where a and b are integer constants.
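To make the bias concrete, the following Python (added here; it is not code from the application) implements the FIPS 186-2 style reduction k = SHA-1(seed) mod q beside the rejection-sampling variants of figures 2 and 3, and counts how often each method lands in the doubly covered interval [0, 2^l − q). The seed source is a constructed counter standing in for random number generator 26, the hash output is truncated to a toy width so the effect shows in a few thousand samples (bits=160 gives the real DSS case), and the seed increment is an assumed simple step, since the text leaves the deterministic function open.

```python
import hashlib
from typing import Callable

HASH_BITS = 160  # SHA-1 output length, the l-bit H(seed) of the text


def h(seed: bytes, bits: int = HASH_BITS) -> int:
    """H(seed): SHA-1 of the seed as an integer in [0, 2^bits).

    bits < 160 keeps only the top bits of the digest so that a toy q makes
    the bias visible in a few thousand samples; bits=160 is the real case."""
    digest = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    return digest >> (HASH_BITS - bits)


def k_dss_reduce(seed: bytes, q: int, bits: int = HASH_BITS) -> int:
    """FIPS 186-2 style selection: k = SHA-1(seed) mod q.
    Values in [0, 2^bits - q) are reached twice, all others once: the bias."""
    return h(seed, bits) % q


def k_reject_fresh(next_seed: Callable[[], bytes], q: int, bits: int = HASH_BITS) -> int:
    """Figure 2: hash a seed, accept it if 1 <= H(seed) < q, otherwise draw a
    new seed from the generator and try again. 0 is rejected as well because
    the DSA needs k in [1, q-1]."""
    while True:
        v = h(next_seed(), bits)
        if 0 < v < q:
            return v


def k_reject_increment(seed: bytes, q: int, bits: int = HASH_BITS, step: int = 1) -> int:
    """Figure 3: same test, but on rejection the seed is advanced by a
    deterministic function (assumed here: seed + step) and rehashed."""
    s = int.from_bytes(seed, "big")
    while True:
        v = h(s.to_bytes(max(1, (s.bit_length() + 7) // 8), "big"), bits)
        if 0 < v < q:
            return v
        s += step


def counter_seeds(start: int = 0) -> Callable[[], bytes]:
    """Constructed stand-in for random number generator 26: a closure that
    yields distinct 8-byte seeds. A real deployment needs a real RNG here."""
    state = [start]

    def next_seed() -> bytes:
        state[0] += 1
        return state[0].to_bytes(8, "big")

    return next_seed


def bias_experiment(q: int, bits: int, samples: int) -> dict:
    """Measure how often each method lands in the doubly covered interval
    [0, low) with low = 2^bits - q. Under plain reduction that interval is hit
    about twice as often as a uniform choice from [1, q-1] would hit it."""
    low = (1 << bits) - q
    gen_reduce, gen_reject = counter_seeds(0), counter_seeds(10_000_000)
    hit_reduce = sum(k_dss_reduce(gen_reduce(), q, bits) < low for _ in range(samples))
    hit_reject = sum(k_reject_fresh(gen_reject, q, bits) < low for _ in range(samples))
    return {
        "expected_uniform": (low - 1) / (q - 1),  # share of [1, q-1] lying in [1, low)
        "reduce": hit_reduce / samples,
        "reject": hit_reject / samples,
    }


if __name__ == "__main__":
    # Constructed toy parameters: 10-bit hash output and q = 1009, so the 15
    # values 0..14 are produced by two hash outputs each under reduction.
    print(bias_experiment(q=1009, bits=10, samples=20_000))
```

With the toy parameters the reduction method lands in [0, 15) roughly twice as often as the rejection methods do; with the real 160-bit q the same excess exists but is far smaller, which is exactly why it takes a large number of signatures to exploit and why it is easy to miss in testing.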

A further embodiment is shown in figure 4 which has particular applicability to an elliptic
curve cryptosystem. By way of example it will be assumed that a 163 bit string is required and
that the output of the hash function 28 is 160 bits.

The random number generator 26 generates a seed value SV which is processed by the
hash function 28 to obtain a first output H(seed).

The seed value SV is incremented by a selected function to provide a seed value SV+
which is further processed by the hash function 28 to provide a second output H(seed+).

The two outputs are then combined, typically by concatenation, to produce a 320 bit string
H(seed)//H(seed+). The excess bits, in this case 157, are rejected and the resultant value tested
against the value of q. If the resultant value is less than q, it is accepted as the key k; if not, the
value is rejected.

Upon rejection, the random number generator may generate a new value as disclosed in 
figure 2 or may increment the seed value as disclosed in figure 3. 

A further embodiment is shown in figure 5 which is similar to that of figure 4. In the
embodiment of figure 5, the selection of the required l bit string is obtained by applying an l-bit
wide masking window to the combined bit string.

This is tested against the value of q and if acceptable is used as the value of k. If it is not
acceptable it is rejected and the l bit window incremented along the combined bit string to obtain
a new value.

The values are tested and the window incremented until a satisfactory value is obtained. 

A similar procedure may be used directly on an extended output of the hash function 28
as shown in figure 6 by applying a window to obtain the required l bit string. The bit string is
tested against q and the window incremented until a satisfactory value of k is obtained.
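The variants of figures 4 to 6 differ only in how an l-bit candidate is cut out of a hash-derived string longer than l. The Python below is an added example (not the application's own code) that implements the 320-bit concatenation H(seed)//H(seed+), the truncation that discards the 157 excess bits, and the sliding l-bit window, for l = 163. Hash function 28 is taken to be SHA-1, the seed increment is an assumed counter step, and N_TOY is a constructed 163-bit stand-in for the group order n, not a real curve order.

```python
import hashlib
from typing import Optional, Tuple

# Constructed 163-bit stand-in for the order n (not a real curve order).
N_TOY = (1 << 162) + 12345


def h(seed: bytes) -> bytes:
    """H(seed): the 160-bit output of hash function 28, taken to be SHA-1."""
    return hashlib.sha1(seed).digest()


def increment_seed(seed: bytes) -> bytes:
    """SV -> SV+: the text leaves the deterministic increment open; this
    assumed choice adds 1 to the seed read as a big-endian integer."""
    width = 8 * len(seed)
    return ((int.from_bytes(seed, "big") + 1) % (1 << width)).to_bytes(len(seed), "big")


def extended_output(seed: bytes) -> bytes:
    """Figure 4: H(seed) || H(seed+), a 320-bit string."""
    return h(seed) + h(increment_seed(seed))


def k_by_truncation(seed: bytes, n: int, l: int) -> Optional[int]:
    """Figure 4: keep the leading l bits of the combined string and drop the
    excess (320 - 163 = 157 bits). Accept only 1 <= value < n; None means
    rejected, after which the caller reseeds (fig. 2) or increments (fig. 3)."""
    combined = extended_output(seed)
    total = 8 * len(combined)
    candidate = int.from_bytes(combined, "big") >> (total - l)
    return candidate if 0 < candidate < n else None


def k_by_window(bits: bytes, n: int, l: int) -> Optional[Tuple[int, int]]:
    """Figures 5 and 6: slide an l-bit window along a bit string (the combined
    string of fig. 4, or an extended hash output as in fig. 6) and return
    (k, offset) for the first window whose value lies in [1, n-1].
    Offset 0 is the same candidate that k_by_truncation tests."""
    total = 8 * len(bits)
    value = int.from_bytes(bits, "big")
    mask = (1 << l) - 1
    for offset in range(total - l + 1):
        candidate = (value >> (total - l - offset)) & mask
        if 0 < candidate < n:
            return candidate, offset
    return None  # no window qualified; caller must rehash with a new seed


def k_truncation_with_increment(seed: bytes, n: int, l: int) -> int:
    """Figure 4 combined with the figure 3 fallback: on rejection, increment
    the seed and repeat until an acceptable k is found."""
    while True:
        k = k_by_truncation(seed, n, l)
        if k is not None:
            return k
        seed = increment_seed(seed)


if __name__ == "__main__":
    seed = b"constructed-seed-0001"  # stands in for the RNG output
    print("truncation:", k_by_truncation(seed, N_TOY, 163))
    print("window:    ", k_by_window(extended_output(seed), N_TOY, 163))
    print("fallback:  ", k_truncation_with_increment(seed, N_TOY, 163))
```

Note that every accepted value is compared against n itself, never reduced mod n: the comparison is what keeps the accepted values uniform on [1, n-1], whereas a reduction would reintroduce the doubled interval described for the DSS.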

As shown in figure 7, the value of k may be generated by utilizing a low Hamming
weight integer obtained by combining the output of the random number generator 26 to facilitate
computation of an intermediate public key α^k. The integer is masked by combination with a
predetermined precomputed value k* to obtain the requisite Hamming weight for security. Such
a procedure is disclosed in copending Canadian application 2,217,925. This procedure is
modified to generate the low Hamming weight integer k as a bit string greater than l, for
example, a 180 bit string. The masking value k* is distributed throughout the 180 bit string and
the resultant value reduced mod q to obtain a 163 bit value k''. Note that the value α^k'' can be
efficiently computed by combining the precomputed value α^k* with the efficiently computable
value α^k.

A similar technique may be used by relying on multiplicative masking. In this embodiment the
value of k is combined with a value β where β = α^u. The value of u is a secret value that is used
to mask the low Hamming weight of k. Again, the values of u and the low Hamming weight
number k can be chosen to have bit lengths greater than l, for example, bit lengths of 180. The
resultant value is k'' = uk mod q. It will be appreciated that α^k'' can be efficiently computed since
β = α^u is precomputed, and since k has low Hamming weight.

Although the invention has been described with reference to certain specific
embodiments, various modifications thereof will be apparent to those skilled in the art without
departing from the spirit and scope of the invention as outlined in the claims appended hereto.